Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-22420 | GEN003613 | SV-45736r1_rule | ECSC-1 | Medium |
Description |
---|
Reverse-path filtering provides protection against spoofed source addresses by causing the system to discard packets whose source address the system has no route to, or whose route does not point towards the interface on which the packet arrived. Reverse-path filtering should be used whenever possible. Depending on the role of the system, reverse-path filtering may cause legitimate traffic to be discarded; on such systems it should be used in a more permissive mode or not at all. |
STIG | Date |
---|---|
SUSE Linux Enterprise Server v11 for System z | 2012-12-13 |
Check Text ( C-43100r1_chk ) |
---|
Verify the system is configured to use a reverse-path filter for IPv4 network traffic: `# grep [01] /proc/sys/net/ipv4/conf/*/rp_filter|egrep "default|all"`. If any of the resulting lines does not end with "1", this is a finding. |
Fix Text (F-39136r1_fix) |
---|
Configure the system to use a reverse-path filter for IPv4 network traffic. Edit /etc/sysctl.conf and add the settings `net.ipv4.conf.all.rp_filter=1` and `net.ipv4.conf.default.rp_filter=1`, then apply them with `# sysctl -p`. |
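The check and fix above, as an added shell example that is not part of the STIG text. It reads the two required entries (`all` and `default`) directly rather than grepping for `[01]`, so a value of 2 (Linux "loose" reverse-path mode, the permissive mode the description alludes to) is reported as a finding instead of being dropped by the grep pattern. The directory and file arguments are assumptions added so the functions can be exercised against a scratch directory; without arguments they fall back to the real `/proc/sys/net/ipv4/conf` and `/etc/sysctl.conf` paths.

```shell
#!/bin/sh
# Added example (not STIG-supplied code): audit and remediate IPv4
# reverse-path filtering for the "all" and "default" entries.
# Both functions take an optional path argument (an assumption for
# testing); defaults are the live kernel and sysctl paths.

# Classify a single rp_filter value. 1 = strict (required by GEN003613),
# 2 = loose mode (the "more permissive mode" the description mentions),
# 0 = off. Anything else is reported as unknown.
rp_filter_mode() {
    case "$1" in
        1) echo strict ;;
        2) echo loose ;;
        0) echo off ;;
        *) echo unknown ;;
    esac
}

# Audit: print one line per required entry and return 0 when both
# "all" and "default" are set to 1, 1 otherwise (a finding).
# Usage: check_rp_filter            # live system
#        check_rp_filter /some/dir  # scratch copy of .../ipv4/conf
check_rp_filter() {
    root="${1:-/proc/sys/net/ipv4/conf}"
    finding=0
    for name in all default; do
        f="$root/$name/rp_filter"
        if [ ! -r "$f" ]; then
            echo "$name: missing ($f not readable)"
            finding=1
            continue
        fi
        val=$(cat "$f")
        echo "$name: $val ($(rp_filter_mode "$val"))"
        [ "$val" = "1" ] || finding=1
    done
    return $finding
}

# Fix: ensure both keys are set to 1 in a sysctl configuration file
# (default /etc/sysctl.conf). A key already at 1 is left alone, a key
# with another value is rewritten in place, a missing key is appended.
# The settings only take effect after "sysctl -p" (or a reboot).
fix_rp_filter() {
    conf="${1:-/etc/sysctl.conf}"
    for key in net.ipv4.conf.all.rp_filter net.ipv4.conf.default.rp_filter; do
        if grep -q "^[[:space:]]*$key[[:space:]]*=[[:space:]]*1[[:space:]]*$" "$conf" 2>/dev/null; then
            echo "$key already set to 1 in $conf"
        elif grep -q "^[[:space:]]*$key[[:space:]]*=" "$conf" 2>/dev/null; then
            # Rewrite the existing assignment, keeping the key text as-is.
            sed "s/^\([[:space:]]*$key[[:space:]]*=\).*/\1 1/" "$conf" > "$conf.tmp" \
                && mv "$conf.tmp" "$conf"
            echo "rewrote $key = 1 in $conf"
        else
            echo "$key = 1" >> "$conf"
            echo "added $key = 1 to $conf"
        fi
    done
}
```

On a live SLES 11 host, run `check_rp_filter` first; only if it reports a finding run `fix_rp_filter` followed by `sysctl -p`, and re-run the check to confirm both entries now read 1. Per-interface entries (`eth0` and so on) are not audited here because the STIG check only requires the `all` and `default` entries.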